Policy #12

By cliangNo Comments
In the illustration, there is implicit EXCEPT WITH PERMIT in real life. However, the bilingual "except's" are inconsistent.The Chinese version is except just bi-cycles. The English version is cycles. There are variations of "cycles": bi-cycle, tri-cycle, motor-cycle. This will create confusion for enforcement and compliance. A better version should be "Except non-motor vehicles". So, bi-cycle, tri-cycle, trolley, scroller are all allowed. This is precise generic. ...
Read More

Policies #11

By cliangNo Comments
Policies are rules. They stipulate what are allowed and what not. Good policies must be practically achievable and enforceable, not too strict and not too loose - this is the hard part. Too strict will incur policy exception and too loose will make the policy a decorative statement in the sign board. Writing good cybersecurity policies will require these as foundation: The policy maker must understand the business model, what outcomes to be delivered What are the risk appetite the organization willing to take, after all, there won't be 100% secure business in the world How the requirement shall enable the business securely but not prohibit innovations, we are living in digital transformation era and everything is going inside cyber What are peers or the industry doing, is the bar setting too high or too low That said, don't just apply textbook knowledge but listen to business units what will work and what not. Strike the right balance with 80/20 rule. ...
Read More

Security By Trust

By cliangNo Comments
In physical world, we trust this glass roof is safe and secure to walk on because there are underlying processes to sustain its safety: Regular inspection and maintenance Regulatory requirement for license issue and renewal 3rd party insurance etc. In addition in building this infrastructure, the design will cater for the intended loading with safety margin, wind speed, anchor points stability plus build it per engineering standard to ascertain the quality. We will therefore have no doubt and trust these arrangements are in place and safely step on it. In cyber world, things are different. There might be cybersecurity standards as foundation but the design and build will require competent practitioners. Even there is comprehensive verification tests before commissioning, there are always new cyber threats requiring recurring effort to sustain the protection effectiveness. Deception to lurk victim into malicious web site to compromise the device or application will further complicate the situation. Then, how do we stay secure in the cyber world? It's a very...
Read More

Responsibility

By cliangNo Comments
I saw certain cyber security awareness poster has stated that keeping cyber secure is a shared responsibility. In certain way, this is true. Each of us plays a different part to protect the assets in the digital world. But "shared responsibility" appears as no one will take accountability and any one will think someone will take the lead to secure. In the illustration, you are responsible to well equip yourself to enter into the wild. You are well informed "You must be properly prepared to meet these hazards on their own terms. This is your responsibility." That should apply to the digital world and "shared" responsibility isn't the proper term and tone. ...
Read More

No Direction

By cliangNo Comments
The principle of governance is to enforce processes are conducted consistently per established and approved policies or directions in an organization. That way, the business outcomes are also consistent. Some incompetent cyber security practitioners I have seen are just play by ear to spell out requirements for what they think is more secure. without considering practicality and the underlying overheads. An example is to keep an register to record which OT system uses USB thumb drive. All OT systems use USB because of isolated network environment for file exchange. The key point is how to manage the use of USB securely rather than keeping such a register. We must ask how much protection is increased by adding protection (no matter technical control or administrative control) and will more risks be introduced if not doing so. We must stick to the established policies. If there are "bugs" in the policies, admit it. Schedule revisions with stakeholders involved to align with...
Read More